IRS Logo

10.5.1  Privacy Policy

Manual Transmittal

March 10, 2017

Purpose

(1) This revises the Internal Revenue Manual (IRM) 10.5.1, Privacy and Information Protection, Privacy Policy. The IRM provides an introduction to Privacy, Governmental Liaison and Disclosure (PGLD) and a foundation for IRS privacy policy.

Background

IRM 10.5.1 is part of the Security, Privacy and Assurance policy family, IRM Part 10 series for IRS Privacy and Information Protection.

Material Changes

(1) This version incorporated these Interim Guidance (IG) Memos:

  1. Interim Guidance Memo # PGLD-10-0616-0003, Using IRS and Personal Email Accounts , dated June 21, 2016, revises IRM 10.5.1, Privacy Policy.

  2. Interim Guidance Memo # PGLD-10-0816-0005, Shared Drives, dated August 31, 2016, revises IRM 10.5.1, Privacy Policy.

(2) Updated Limiting Sharing of SBU Data section (10.5.1.6.1.3) to align with email policy.

(3) Reorganized Email section (10.5.1.6.5) for clarity and flow.

(4) Standardized terminology to tax information (formerly taxpayer information, taxpayer data).

(5) Removed SPIIDE section.

(6) Updated hyperlinks throughout.

Effect on Other Documents

This version supersedes IRM 10.5.1, dated June 15, 2016. Also, this IRM supports other IRMs in the 10.5 family.

This IRM incorporates the following Interim Guidance Memoranda: PGLD-10-0616-0003 , Using IRS and Personal Email Accounts, dated June 21, 2016; and PGLD-10-0816-0005, Shared Drive Privacy Policy, dated August 31, 2016.

Audience

IRM 10.5.1 addresses all IRS personnel responsible for ensuring adequate privacy and information protection for all Sensitive But Unclassified (SBU) data, including taxpayer and employee Personally Identifiable Information (PII). This policy applies to all employees, contractors, and vendors of the IRS.

Effective Date

(03-10-2017)

Frances Kleckley
Director, Privacy Policy and Compliance (PPC)

10.5.1.1  (03-10-2017)
Overview

  1. This IRM serves as the framework for IRS privacy policy and an introduction to Privacy, Governmental Liaison and Disclosure (PGLD).

  2. This policy establishes the privacy context for the development of related subordinate IRMs, IRS publications, and subordinate procedural guidance such as Standard Operating Procedures (SOP) and Desk Procedures.

  3. Subordinate IRMs offer additional privacy program protection information.

  4. Subordinate procedural guidance provides detailed guidance for implementing and complying with the requirements within this IRM. For further information, see PGLD’s website:
    https://organization.ds.irsnet.gov/sites/vldp/default.aspx

  5. If IRM 10.5.1 conflicts with or varies from the subordinate IRMs in the 10.5 series or guidance, IRM 10.5.1 has precedence, unless the subordinate IRM is more restrictive or otherwise noted.

  6. This policy assigns responsibilities and lays the foundation necessary to measure privacy progress and compliance.

  7. In an effort to reference the origin of a privacy policy cited later in this IRM (National Institute of Standards and Technology (NIST), Treasury, etc.), this IRM may reference a requirement’s origin in brackets at the end of the guidance, such as [PVR-xx] (IRS Privacy Principles and Privacy Requirements), [AP-01] (NIST Privacy Controls), or [TD P 25-07] (Treasury Directive Publications).

  8. This IRM lays the foundation to:

    1. Protect the privacy of Sensitive But Unclassified (SBU) data for taxpayers and employes, including personally identifiable information (PII), such as federal tax information (FTI), tax return, financial, and employment information.

    2. Collect, maintain, use, access, and disseminate SBU data only as authorized by law (cited later in this IRM) and as necessary to fulfill agency responsibilities.

    3. Destroy SBU data when no longer required for business use, in a secure manner to protect privacy.

    4. Implement and maintain a strong privacy program, which enables the IRS to provide e-government services.

  9. For the purpose of this IRM, the following terms apply. Hereinafter, this IRM refers to IRS employees, which includes all categories below:

    1. IRS personnel or users, which includes:
      1. Employees
      2. Consultants
      3. Detailees
      4. Temporary employees
      5. Interns
      6. IRS contractors

    2. Authorized or Unauthorized personnel applies to all IRS personnel being authorized or unauthorized to perform a particular action.

10.5.1.1.1  (06-15-2016)
Purpose

  1. This IRM defines the uniform policies used by IRS employees and organizations to carry out their responsibilities related to privacy.

  2. This IRM establishes the minimum baseline privacy policy and requirements for all IRS SBU data assets in order to:

    1. Ensure the protection and proper use of SBU data of the IRS.

    2. Prevent unauthorized access to SBU data of the IRS.

    3. Enable operation of IRS environments and business units that meet the requirements of this policy and support the business needs of the organization.

  3. It is acceptable to employ practices that are more restrictive than those defined in this IRM.

  4. It is the policy of the IRS:

    1. To establish and manage privacy practices within all offices to create a culture of privacy. This manual provides uniform policies and guidance to be used by all offices.

    2. To protect SBU data of the IRS at a level commensurate with the risk and magnitude of harm that could result from loss, misuse, or unauthorized access to that information.

    3. To protect SBU data and allow the use, access, and disclosure of information in accordance with applicable laws, policies, federal regulations, Office of Management and Budget (OMB) Circulars, Treasury Directives (TDs), National Institute of Standards and Technology (NIST) Publications, other regulatory guidance, and best practice methodologies.

    4. To use best practices methodologies and frameworks, such as Enterprise Life Cycle (ELC) and Enterprise Architecture (EA), to document and improve IRS privacy policy efficiency and effectiveness.

10.5.1.1.2  (03-10-2017)
Authority

  1. PGLD’s Privacy Policy and Knowledge Management (PPKM) implements relevant privacy laws, mandates, and OMB Memos.

  2. The primary laws and mandates are:

    • Privacy Act (1974).

    • Computer Matching and Privacy Protection Act (1988).

    • Freedom of Information Act (FOIA) (1974).

    • Internal Revenue Code (§6103).

    • The Taxpayer Browsing Protection Act (1997) (UNAX).

    • Federal Information Security Management Act of 2014 (FISMA).

    • E-Government Act (2002).

    • Health Insurance Portability and Accountability Act (1996) (HIPAA).

  3. The relevant OMB Memos are:

    • M–03–22 – Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

    • M–05–08 – Designation of Senior Agency Officials for Privacy.

    • M–06–15 – Safeguarding Personally Identifiable Information.

    • M–06-16 – Protection of Sensitive Agency Information.

    • M–07–16 – Safeguarding Against and Responding to a Personally Identifiable Information Breach.

    • M–10-22 – Guidance for Online Use of Web Measurement and Customization Technologies.

    • M–10–23 – Guidance for Agency Use of Third-Party Websites and Applications.

    • M–14–04 – Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.

  4. Relevant NIST guidance includes:

    • SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
      Appendix J

    • SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).

  5. The relevant Department of Treasury directives and publications are:

    • Treasury Directive Publication (TD P) 25-07 (draft), Privacy and Civil Liberties Impact Assessment (PCLIA) Manual.

    • TD P 85–01, Treasury Information Technology (IT) Security Program, November 5, 2015.

  6. For a full listing of Privacy Laws, mandates, OMB Memos, Treasury directives and publications, and other documents relevant to this IRM, see Exhibit 10.5.1-2, References.

10.5.1.1.3  (06-15-2016)
Scope

  1. This IRM covers Servicewide privacy policy, including but not limited to:

    1. Definition of SBU data, including PII.

    2. IRS Privacy Principles.

    3. Servicewide privacy roles and responsibilities.

    4. Privacy guidance on topics such as email, telework, and contractors.

    5. Introduction to privacy-related programs.

  2. The provisions in this manual apply to:

    1. All offices and business, operating, and functional units within the IRS.

    2. Individuals and organizations having contractual arrangements with the IRS, including employees, interns, detailees, contractors, subcontractors, vendors, and outsourcing providers, with any access to SBU data.

      Note:

      This IRM covers all sensitive data used and operated by and on behalf of the IRS no matter what stage of the IT lifecycle it is in (i.e., production, pre-production, and post-production systems).

    3. All IRS SBU data (for SBU data that is also considered classified information, see IRM 10.9.1, National Security Information, for additional procedures for protecting classified information).

10.5.1.2  (03-10-2017)
Introduction to Privacy, Governmental Liaison and Disclosure (PGLD)

  1. The mission of Privacy, Governmental Liaison and Disclosure (PGLD) is to preserve and enhance public confidence by advocating for the protection and proper use of identity information.

  2. The security and privacy of taxpayer and employee information is one of the IRS's highest priorities. PGLD administers privacy and records policy and initiatives and coordinates privacy and records-related actions throughout the IRS.

  3. PGLD is committed to ensuring the protection of SBU data, including taxpayer and employee PII, from unauthorized access. The organization identifies and reduces threats to privacy and increases awareness of criminal activities aimed at compromising this information. PGLD also leads IRS privacy and records policies, coordinates privacy protection guidance and activities, responds to privacy complaints, and promotes data protection awareness throughout the IRS. [IP-4]

  4. The following offices comprise PGLD:

    • Governmental Liaison, Disclosure and Safeguards (GLDS)

    • Privacy Policy and Compliance (PPC).

    • Identity and Records Protection (IRP).

    • Program Planning and Support (PPS).

    These programs support IRS efforts to earn and keep the highest degree of public confidence in its integrity, efficiency, and fairness.

  5. For more information about PGLD, refer to the PGLD website:
    https://organization.ds.irsnet.gov/sites/vldp/default.aspx

10.5.1.2.1  (06-15-2016)
Governmental Liaison, Disclosure and Safeguards

  1. Governmental Liaison, Disclosure and Safeguards (GLDS) includes the following offices:

    1. Data Services receives all incoming Disclosure and Safeguards requests, manages inventory through automated applications and produces statistical reports and measures, coordinates data sharing agreements and secure transfer of data to government agencies and administers the reimbursable data exchange program.

    2. Disclosure provides timely public access to IRS records in accordance with applicable disclosure laws.

    3. Governmental Liaison (GL) partners with federal, state, and local governmental agencies and congressional offices to increase compliance, enforcement, and service to taxpayers.

    4. Safeguards ensures IRS employees and external partners protect confidential tax and privacy information, and provides oversight and outreach to more than 300 local, state and federal agencies receiving federal tax information.

10.5.1.2.2  (06-15-2016)
Privacy Policy and Compliance

  1. Privacy Policy and Compliance (PPC) includes the following offices:

    1. Privacy Policy and Knowledge Management (PPKM) issues privacy policy to promote privacy protection, compliance, and awareness.

    2. Privacy Compliance and Assurance (PCA) manages privacy compliance programs, such as the Privacy and Civil Liberties Impact Assessment (PCLIA) process. See IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program, for more details on these programs.

    3. Incident Management (IM) manages incidents involving the loss or theft of an IRS asset, or loss, theft, or disclosure of PII, and ensures data loss incidents are investigated, analyzed, and resolved. It oversees the IRS’s PII Incident Notification process for notifying affected taxpayers and employees.

    4. Employee Protection (EP) administers programs that track potentially dangerous taxpayers and those who should be approached with caution.

10.5.1.2.3  (03-10-2017)
Identity and Records Protection

  1. Identity and Records Protection (IRP) includes the following offices:

    1. Records Management provides guidance in the creation, maintenance, retrieval, preservation and disposition of all IRS records.

    2. Information Protection Projects provides a structured governance process for PGLD technology and business improvement projects that are aimed at protecting SBU data.

10.5.1.2.4  (03-10-2017)
Program and Planning Support

  1. Program and Planning Support (PPS) includes the Human Capital & Technology Support (HC&T) office, which manages PGLD human capital, budget, and technology issues.

10.5.1.3  (06-15-2016)
Key Privacy Definitions

  1. To support the IRS mission, understanding the following key definitions is essential.

10.5.1.3.1  (03-10-2017)
Sensitive But Unclassified (SBU) Data

  1. Sensitive But Unclassified (SBU) data is any information which if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act.

  2. SBU data includes, but is not limited to:

    1. Tax information (Federal Tax Information (FTI)), PII, Protected Health Information (PHI), certain procurement information, system vulnerabilities, case selection methodologies, systems information, enforcement procedures, investigation information.

    2. Live data, which is defined as production data in use. Live means that when changing the data, it changes in production. The data may be extracted for testing, development, etc., in which case, it is no longer "live" . Live data often contains SBU data.

  3. All employees must protect SBU data. Employees must restrict access, inspection, and disclosure of SBU data to other IRS employees who have a need to know the information. [PVR-05]

    1. See IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, controls about Access Controls and Least Privilege for information about limiting access to only people who have a need to know the information.

    2. See IRM 11.3.22, Disclosure of Official Information, Disclosure to Federal Officers and Employees for Tax Administration Purposes, for information about Access by IRS Employees Based on Need to Know.

  4. SBU data includes subsets of protected information which many employees handle on a daily basis, such as PII and tax information. It also includes other subsets, such as procurement and systems information.

  5. Employees should determine if the SBU data is necessary to do business (does it support the business purpose of the system or the organization‘s mission?). If it does not serve a valid business purpose, then the IRS must not collect that SBU data. If that SBU data does serve a business purpose, then the IRS should collect, use, store, and disseminate it appropriately. For more information, see the IRS Privacy Principles section of this IRM. [Privacy Act; PVR-02; PVR-03]

  6. SBU data in a public record is still SBU data, however different protections apply. See the Public Record section of this IRM.

  7. For more information on PII, see the Protecting and Safeguarding SBU Data and PII section of this IRM.

10.5.1.3.1.1  (06-15-2016)
Examples of SBU Data

  1. Some examples of IRS SBU data include, but are not limited to:

    1. Personally Identifiable Information (PII).

    2. Corporate, or other business, tax return information (also classified as PII if it identifies an individual) .

    3. Federal Tax Information (FTI).

    4. Protected Health Information (PHI).

    5. Documents marked "Official Use Only" (OUO).

    6. Passwords.

    7. Certain procurement information.

    8. Budget information.

    9. Contract proposals.

    10. Criminal Investigation information.

    11. Enforcement procedures.

    12. Case selection methodologies including tolerance criteria.

    13. Proprietary processes or algorithms used in investigative work or tax processing.

    14. Systems information.

    15. System vulnerabilities.

    16. Physical security information, such as details of facility vulnerabilities (entry codes, badge access, etc.).

    17. Proprietary data (business information entrusted to the IRS).

    18. Confidential data to be released to the public at a later date.

    19. 31 U.S.C. Bank Secrecy Act protected reports filed by financial institutions.

    20. 18 U.S.C. Grand Jury information protected by Rule 6(e) of the Federal Rules of Criminal Procedure.

    21. 18 U.S.C. 1905 information protected under the Trade Secrets Act for entities (trade secrets, processes, operations, style of work, or apparatus, or to the identity, confidential statistical data, amount or source of any income, profits, losses, or expenditures of any person, firm, partnership, corporation, or association; or permits any income return or copy thereof or any book containing any abstract or particulars thereof to be seen or examined by any person except as provided by law).

10.5.1.3.1.2  (06-15-2016)
Official Use Only and Limited Official Use

  1. By definition, documents designated as "Official Use Only" (OUO) and "Limited Official Use" (LOU) contain SBU data.

  2. For more information, see IRM 11.3.12, Designation of Documents.

10.5.1.3.1.3  (06-15-2016)
Freedom of Information Act (FOIA) and SBU Data

  1. The Freedom of Information Act (FOIA) exempts most SBU data from release to the public under one of the nine exemptions listed in 5 U.S.C. § 552(b).

  2. However, the fact that IRS must release certain information if requested under FOIA does not automatically remove its status as SBU data. [FOIA]

  3. For more information, see IRM 11.3.13 , Freedom of Information Act.

10.5.1.3.2  (03-10-2017)
Personally Identifiable Information (PII)

  1. Personally Identifiable Information (PII) is any information: (1) that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

    1. To distinguish an individual is to identify an individual. For example, an individual might be distinguished by a passport identification number or Social Security Number (SSN). However, a list of credit scores without any other information concerning the individual does not distinguish the individual.

    2. To trace an individual is to process sufficient information to make a determination about a specific aspect of an individual’s activities or status, such as with an audit log.

    3. Linked information is information about or related to an individual that is logically associated with other information about the individual.

    4. Linkable information is information about or related to an individual for which there is a possibility of logical association with other information about the individual.

  2. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified.

  3. Employees should know that non-PII can become PII whenever additional information becomes available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual. [NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII); OMB Memorandum M-10-23]

  4. See the Examples of PII section of this IRM for more information.

  5. Refer to the PGLD webpage:
    https://organization.ds.irsnet.gov/sites/vldp/Privacy/PII/Pages/default.aspx

  6. PII in a public record is still PII data; however, different protections apply. To determine if PII in the public record is still SBU data, see the Public Record section of this IRM.

  7. For more information on PII, see the Protecting and Safeguarding SBU Data and PII section of this IRM.

10.5.1.3.2.1  (06-15-2016)
Examples of PII

  1. Examples of PII include, but are not limited to:

    1. Name, such as full name, maiden name, mother’s maiden name, or alias.

    2. Address information, such as street address or email address.

    3. A unique set of numbers or characters assigned to a specific individual, such as:
      1. Telephone numbers, including mobile, business, and personal numbers.
      2. SSN.
      3. Taxpayer identification number (TIN) that identifies an individual.
      4. Email or Internet Protocol (IP) address.
      5. Driver’s license number.
      6. Passport number.
      7. Financial account or credit card number.
      8. Standard Employee Identifier (SEID).
      9. Automated Integrated Fingerprint Identification System (AIFIS) identifier, booking, or detention system number.

    4. Individual tax return information.

    5. Corporate or other business tax return information that identifies an individual, such as an S-Corporation, partnership, or sole proprietorship.

    6. Personal characteristics and data, including:
      1. Date of birth.
      2. Place of birth.
      3. Age.
      4. Height.
      5. Weight.
      6. Gender.
      7. Hair color.
      8. Eye color.
      9. Race.
      10. Ethnicity.
      11. Scars.
      12. Tattoos.
      13. Distinguishing features.
      14. Religious affiliation.
      15. Sexual orientation.
      16. Gang affiliation.
      17. Photographic image (especially of face or other distinguishing characteristic).
      18. Biometric information (such as x-rays, fingerprints, retina scan, voice signature, facial geometry, DNA).

    7. Asset information, such as Media Access Control (MAC) address, Device ID, or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people.

    8. Descriptions of events or times (information in documents, such as police reports, arrest reports, and medical records).

    9. Descriptions of locations, such as geographic information system (GIS), GPS data, and electronic bracelet monitoring information.

    10. Information identifying personally owned property, such as vehicle registration number or title number and related information.

  2. Information about an individual that is linked or linkable to one of the above.

10.5.1.3.2.2  (03-10-2017)
Tax Information

  1. The term tax information refers to a taxpayer’s return and return information protected from unauthorized disclosure under IRC § 6103. The law defines return information as any information the IRS has about a tax return or liability determination. This return information includes, but is not limited to, a taxpayer’s:

    1. Identity.

    2. Income Payments, deductions, exemptions, or credits.

    3. Assets, liabilities, or net worth.

    4. Tax liability investigation status (whether the IRS ever investigates or examines the return).

  2. Tax information in IRS business processes comes under many names, such as FTI, IRC § 6103-protected information, taxpayer data, taxpayer information, tax return information, return information, case information, SBU data, and PII.

  3. Tax information is SBU data. IRC § 6103 protects tax information from unauthorized disclosure. When tax information relates to an individual, that SBU data is also PII. [IRC § 6103(b)(2)]

  4. See these subsections in this IRM for more information:

    • Protecting and Safeguarding SBU Data and PII.

    • Definition of SBU data.

    • Definition of PII.

  5. For more information about return information, refer to IRM 11.3.21, Disclosure of Official Information, Investigative Disclosure

10.5.1.3.2.3  (03-10-2017)
UNAX

  1. The term UNAX defines the act of committing an unauthorized access, attempted access or inspection of any tax information contained on paper or within any electronic format without a management-assigned IRS business need.

  2. The IRS created the unauthorized access, attempted access, or inspection of tax information and records (UNAX) program to implement privacy protection and statutory unauthorized access and browsing prevention requirements.

  3. For more information about UNAX, refer to IRM 10.5.5 , IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

10.5.1.3.2.4  (06-15-2016)
Privacy Act Information

  1. The Privacy Act of 1974 (Privacy Act) is at the core of IRS privacy policy. It provides certain safeguards for an individual against an invasion of personal privacy by requiring federal agencies to:

    1. Collect, maintain, use, or disseminate any record of identifiable personal information in a manner that ensures that such action is for a necessary and lawful purpose.

    2. Ensure that the information is current and accurate.

    3. Ensure that the information is for its intended use.

    4. Provide adequate safeguards to prevent misuse of such information.

  2. The Privacy Act applies to agency records retrieved by an identifier for an individual.

  3. The term “record” includes, but is not limited to, education, financial transactions, medical history, and criminal or employment history and that contains name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or a photograph.

  4. Privacy Act information is PII because it identifies individuals. Therefore, it is also SBU data. As with any other SBU data, disclosure must be restricted to other IRS employees who have a need to know the information. [Privacy Act]

  5. For more information on the Privacy Act, refer to IRM 11.3.14, Privacy Act General Provisions.

10.5.1.3.2.5  (06-15-2016)
Constitutionally Required Disclosures

  1. Some situations require disclosure of information, including SBU data or PII, such as criminal cases where the IRS has a constitutional obligation to disclose, upon the defendant's request, evidence material either to guilt or punishment (exculpatory evidence).

  2. For more details, refer to IRM 11.3.35, Requests and Demands for Testimony and Production of Documents.

10.5.1.3.2.6  (06-15-2016)
Public Record

  1. IRS employees must protect SBU data regardless of whether the same information is in the public record. However, less stringent protections might apply in some situations.

  2. Generally, employees must encrypt SBU data, including PII. However, encryption is not required if the IRS proactively makes it available to all employees on resource sites (including, but not limited to, Discovery Directory, Outlook Address Book, intranet, and SharePoint site collections), such as names, SEID, and business contact information. [NIST SP 800-122]

  3. Email addresses, by themselves as the method of the email conveyance, generally do not need encrypting. However, when combined with the content and attachments of an email, the email address may become SBU data.

    1. Encryption rules still apply for the body of emails and attachments.

    2. See the Email section of this IRM for more information on email.

  4. As for other SBU data and PII in the public record, the requirements are different, depending on the information.

  5. No IRC § 6103 public records exemption exists. However, the Information Which Has Become Public Record section of IRM 11.3.11, Other Information Available to the Public, discusses disclosure of matters that have become public records as a result of tax administration, such as court cases. This is referred to as the judicially created public records exception.

  6. Treasury security guidance exempts Treasury information made available proactively to the public from certain encryption controls. This implies another public records exception based on information the agency makes available to the public. [TD P 85-01, Appendix A, AC-20(3)_T.028, and MP-6(3)_T.124]

  7. The Public Information Listing (PIL) designated by OPM makes six items of information available to the public by FOIA request. These items include: [5 CFR 293.311]

    1. Employee name.

    2. Present and past position titles and occupational series.

    3. Present and past grades.

    4. Present and past annual salary rates (including awards or bonuses, etc.).

    5. Present and past official duty stations (no telework information).

    6. Position descriptions, identification of job elements, and certain performance standards (but not actual performance appraisals).

  8. However, OPM exempts release of information on employees in these sensitive positions:

    • GS-0083, Police Officer

    • GS-0512, Revenue Agent

    • GS-0930, Appeals Officer

    • GS-1169, Revenue Officer

    • GS-1171, Property Appraisal and Liquidation Specialist

    • GS-1801, General Inspection, Investigation and Compliance

    • GS-1802, Compliance Inspection and Support

    • GS-1810, General Investigating

    • GS-1811, Special Agent

  9. Employees should exercise caution and consult with PGLD regarding any questions they might have about application of a public record exception, on a case-by-case basis, prior to reducing privacy protections based on a public record exception. To request assistance or for further information, email *Privacy (privacy@irs.gov).

  10. For more information, refer to IRM 11.3.13, Freedom of Information Act.

10.5.1.4  (03-10-2017)
Key Privacy Concepts

  1. The IRS Privacy Principles and federally mandated Privacy Controls describe how the IRS protects an individual’s right to privacy.

  2. IRS Privacy Requirements, derived from IRS Privacy Principles and linked to the Privacy Controls, form the basis for privacy protection within the IRS.

  3. Adherence to IRS Privacy Principles and Requirements is mandatory for management officials responsible for protecting SBU data assets.

  4. For a listing of the IRS Privacy Requirements, refer to the Enterprise Architecture website:
    https://organization.dstest.irsnet.gov/sites/eao/framework/content/EA-Framework/Security_Privacy_Performance/Privacy_Requirements/ETA_SA_ER_Privacy%20Reqs.htm#_Toc321729091

10.5.1.4.1  (06-15-2016)
Privacy Controls

  1. The NIST Special Publication (SP) 800-53 (Rev. 4), Appendix J, outlines 26 privacy controls in eight (8) groups designed to protect privacy for the life cycle of PII. These controls establish a relationship between privacy and security controls.

  2. OMB Memorandum M-14-04 mandates implementation of Appendix J controls.

  3. The IRS applies Appendix J controls within its Privacy Principles and Privacy Requirements. See the Privacy Principles section of this IRM to view the connections.

  4. For a copy of the NIST Appendix J Privacy Controls, see Exhibit 10.5.1-3 in this IRM.

    ID Privacy Controls
    AP Authority and Purpose
    AP-1 Authority to Collect
    AP-2 Purpose Specification
    AR Accountability, Audit, and Risk Management
    AR-1 Governance and Privacy Program
    AR-2 Privacy Impact and Risk Assessment
    AR-3 Privacy Requirements for Contractors and Service Providers
    AR-4 Privacy Monitoring and Auditing
    AR-5 Privacy Awareness and Training
    AR-6 Privacy Reporting
    AR-7 Privacy-Enhanced System Design and Development
    AR-8 Accounting of Disclosures
    DI Data Quality and Integrity
    DI-1 Data Quality
    DI-2 Data Integrity and Data Integrity Board
    DM Data Minimization and Retention
    DM-1 Minimization of Personally Identifiable Information
    DM-2 Data Retention and Disposal
    DM-3 Minimization of PII Used in Testing, Training, and Research
    IP Individual Participation and Redress
    IP-1 Consent
    IP-2 Individual Access
    IP-3 Redress
    IP-4 Complaint Management
    SE Security
    SE-1 Inventory of Personally Identifiable Information
    SE-2 Privacy Incident Response
    TR Transparency
    TR-1 Privacy Notice
    TR-2 System of Records Notices and Privacy Act Statements
    TR-3 Dissemination of Privacy Program Information
    UL Use Limitation
    UL-1 Internal Use
    UL-2 Information Sharing with Third Parties

10.5.1.4.2  (06-15-2016)
IRS Privacy Principles

  1. The public trusts the IRS and its employees to protect taxpayer privacy and safeguard confidential tax information.

  2. The IRS is dedicated to meeting this expectation. All employees and contractors are required to conduct their actions in a way that reflects a commitment to treat individuals fairly, honestly, and respectfully, and protect their right to privacy at all times.

  3. Protecting taxpayer privacy and safeguarding confidential tax information is a public trust. To maintain this trust, the IRS and its employees must follow these privacy principles:

    1. Accountability

    2. Purpose Limitation

    3. Minimizing Collection, Use, Retention, and Disclosure

    4. Openness and Consent

    5. Strict Confidentiality

    6. Security

    7. Data Quality

    8. Verification and Notification

    9. Access, Correction, and Redress

    10. Privacy Awareness and Training

  4. The IRS derived the privacy principles from the Fair Information Practice Principles (FIPPs) and the Privacy Act.

  5. IRS Policy Statement 1-1 reflects these principles in IRM 1.2.10, Policy Statements for Organization, Finance and Management Activities.

10.5.1.4.2.1  (06-15-2016)
Accountability [PVR-01]

  1. All IRS employees and contractors are responsible and accountable for the effective implementation of privacy protections. [PVR-01]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Accountability, Audit and Risk Management:
      1. AR-1: Governance and Privacy Program
      2. AR-2: Privacy Impact and Risk Assessment
      3. AR-3: Privacy Requirements for Contractors and Service Providers
      4. AR-4: Privacy Monitoring and Auditing
      5. AR-6: Privacy Reporting
      6. AR-8: Accounting of Disclosures

10.5.1.4.2.2  (06-15-2016)
Purpose Limitation [PVR-02]

  1. PII will be collected and used only when necessary and relevant for legitimate IRS purposes, namely tax administration and other authorized purposes. [PVR-02]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Authority and Purpose:
      1. AP-1: Authority to Collect

    2. Use Limitation:
      1. UL-1: Internal Use
      2. UL-2: Information Sharing with Third Parties

10.5.1.4.2.3  (06-15-2016)
Minimizing Collection, Use, Retention, and Disclosure [PVR-03]

  1. The collection, use, retention, and disclosure of PII will be limited to what is minimally necessary for the specific purposes for which it was collected, unless specifically authorized. [PVR-03]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Authority and Purpose:
      1. AP-2: Purpose Specification

    2. Accountability, Audit and Risk Management:
      1. AR-7: Privacy-Enhanced System Design and Development

    3. Data Minimization and Retention:
      1. DM-1: Minimization of Personally Identifiable Information
      2. DM-2: Data Retention and Disposal
      3. DM-3: Minimization of PII used in Testing, Training and Research

10.5.1.4.2.4  (06-15-2016)
Openness and Consent [PVR-04]

  1. The IRS will make its privacy policies and practices readily available to individuals, such that individuals will be informed of the collection, use, retention, and disclosure of their PII, and will obtain individuals’ consent to the greatest extent practicable. [PVR-04]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Individual Participation and Redress:
      1. IP-1: Consent

    2. Transparency:
      1. TR-1: Privacy Notice
      2. TR-2: System of Records Notices and Privacy Act Statements
      3. TR-3: Dissemination of Privacy Program Information

10.5.1.4.2.5  (06-15-2016)
Strict Confidentiality [PVR-05]

  1. PII will only be accessed by or disclosed to authorized individuals who require the information for the performance of official duties. Browsing of confidential information, including PII, by unauthorized IRS employees or contractors will not be tolerated. Protected information includes confidential information of all individuals, not just taxpayers. Protected information includes, but is not limited to, confidential information of IRS employees, volunteers, practitioners, and other individuals who interact with the IRS. [PVR-05]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Accountability, Audit and Risk Management:
      1. AR-4: Privacy Monitoring and Auditing

    2. Use Limitation:
      1. UL-1: Internal Use

10.5.1.4.2.6  (06-15-2016)
Security [PVR-06]

  1. Appropriate administrative, technical, and physical safeguards will be provided to protect against the unauthorized collection, use, and disclosure of SBU data, including PII. [PVR-06]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Data Quality and Integrity:
      1. DI-2: Data Integrity and Data Integrity Board

    2. Security:
      1. SE-1: Inventory of Personally Identifiable Information
      2. SE-2: Privacy Incident Response

10.5.1.4.2.7  (06-15-2016)
Data Quality [PVR-07]

  1. Requirements governing the accuracy, completeness, and timeliness of PII will be to ensure fair treatment of all individuals. Information will be collected, to the greatest extent practicable, directly from the individual to whom it relates. [PVR-07]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Data Quality and Integrity:
      1. DI-1: Data Quality

10.5.1.4.2.8  (06-15-2016)
Verification and Notification [PVR-08]

  1. All information about individuals will be verified with the individual, as well as any other relevant sources, to the greatest extent possible before adverse action is taken based on that information. Individuals will be notified prior to final action to the greatest extent possible. [PVR-08]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Data Quality and Integrity:
      1. DI-2: Data Integrity and Data Integrity Board

10.5.1.4.2.9  (06-15-2016)
Access, Correction, and Redress [PVR-09]

  1. Individuals will be able to access and correct their PII upon request to the maximum extent allowable. Individuals include, but are not limited to, taxpayers, IRS employees, IRS contractors, practitioners, and others who interact with the IRS. Individuals will be able to contest determinations made based on allegedly incomplete, inaccurate, or out-of-date PII to the maximum extent allowable. [PVR-09]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Individual Participation and Redress:
      1. IP-2: Individual Access
      2. IP-3: Redress
      3. IP-4: Complaint Management

10.5.1.4.2.10  (06-15-2016)
Privacy Awareness and Training [PVR-10]

  1. IRS employees and contractors will be made aware of, and appropriately trained, in the proper treatment of SBU data, including PII. [PVR-10]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Accountability, Audit and Risk Management:
      1. AR-5: Privacy Awareness and Training

10.5.1.4.3  (06-15-2016)
Privacy in Practice

  1. IRS Privacy in Practice includes protecting privacy in systems and safeguarding privacy in everyday business practices. All IRS activities should contain an element of privacy. A culture of privacy prevails through Privacy in Practice; from systems development to customer service, training, communications, passwords, and the clean desk policy.

  2. Designing privacy into projects is a key aspect of effective privacy policy and compliance at the IRS.

    1. This concept reflects the principle that organizations best achieve privacy goals when they weave privacy proactively into business processes and operational practices.

    2. To be effective, privacy principles should be introduced early in a project life cycle, in architecture planning, system design, and the development of operational procedures.

  3. PGLD PPC personnel serve as privacy advocates and consultants for all employees and projects.

  4. Invite PPC privacy personnel whenever necessary at all project stages.

  5. To request assistance or for further information, email *Privacy (privacy@irs.gov). Refer to the Enterprise Architecture website:
    http://ea.web.irs.gov/arch/

10.5.1.5  (06-15-2016)
Servicewide Privacy Roles and Responsibilities

  1. The IRS implements privacy roles and responsibilities for employees and contractors in accordance with federal laws and privacy guidelines.

10.5.1.5.1  (03-10-2017)
Employees

  1. All IRS employees should:

    1. Keep informed of and adhere to applicable IRS privacy policies and procedures.

    2. Limit access to records containing SBU data, including tax information and PII, to that which is required to carry out their official duties.

    3. Use SBU data only for the purposes for which it was collected, unless other purposes are legally mandated or authorized.

    4. Limit the disclosure of SBU data to that which is necessary and relevant for tax administration and other legally mandated or authorized purposes.

    5. Prevent unnecessary access, inspection, and disclosure of SBU data in information systems, programs, electronic formats, and hardcopy documents by adhering to proper safeguarding measures.

    6. Complete IRS annual and role-based privacy, information protection, and disclosure training requirements, UNAX awareness briefings, and all other specialized privacy training, as required.

    7. Immediately complete Form 11377-E, Taxpayer Data Access, to document the access of taxpayer return information when the accesses are not supported by direct case assignment, were performed in error, or when the access may raise a suspicion of an unauthorized access.

    8. Stay aware of the consequences of UNAX violations, including accessing their own records, those of co-workers, family, friends, celebrities, and other covered relationships. For information regarding the Servicewide UNAX program and links to all UNAX forms, refer to the webpage:
      https://organization.ds.irsnet.gov/sites/vldp/DEP/unax/Pages/default.aspx

    9. Immediately report to Treasury Inspector General for Tax Administration (TIGTA) any indications of intentional unauthorized accesses or disclosures of returns or return information in paper or electronic form. Refer to the section Unauthorized Access and Disclosures of Returns or Return Information in IRM 11.3.1, Introduction to Disclosure.

    10. Report inadvertent improper disclosures to the Office of Disclosure, following the guidance in IRM 11.3.38, Role and Responsibilities of Disclosure Managers.

    11. Safeguard IRS information and information systems entrusted to them.

    12. Report a loss, theft, or improper disclosure of sensitive information within one hour of becoming aware of the loss to:
      1. Their manager and
      2. The appropriate organizations based on what was lost or disclosed.

    For more information on reporting an incident, see IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the website:
    https://organization.ds.irsnet.gov/sites/vldp/Privacy/Report/Pages/default.aspx

10.5.1.5.2  (06-15-2016)
Senior Management/Executives

  1. Senior Management/Executives must:

    1. Work with the Director, PGLD to develop, implement, maintain, and enforce a program to protect all SBU data for which they are responsible in accordance with IRS privacy policies and procedures.

    2. Focus special emphasis on the government-wide requirements to eliminate the unnecessary collection and use of SSNs as a personal identifier for employee and tax systems and programs.

    3. Clearly communicate IRS privacy policies and procedures to all employees in their organizations, ensuring employees awareness of their responsibilities to protect SBU data and uphold applicable privacy laws, regulations, and IRS policies and procedures.

    4. Ensure personnel with authorized access to SBU data receive training to carry out their roles and responsibilities in a manner consistent with IRS privacy policies.

    5. Periodically assess and evaluate privacy awareness activities of their organization in order to set clear expectations for compliance with all requirements.

    6. Allocate sufficient resources to comply with IRS privacy policies and procedures.

    7. Ensure all employees and other individuals in their respective organizations comply with the IRS privacy policies and procedures. Also ensure any noncompliance is addressed and remedied promptly, including, if necessary, the initiation of penalties for noncompliance in accordance with federal law and IRS personnel rules and regulations.

    8. Take a proactive role in preventing UNAX violations in their respective areas. Ensure all managers, employees and contractors are trained and knowledgeable of the Taxpayer Browsing Protection Act of 1997, the consequences of UNAX violations for managers, employees and contractors, and that all employees within their business area complete all IRS UNAX, privacy, information protection and disclosure training requirements annually and as required for their position.

    9. Ensure Servicewide, alternative unique identifiers are used for internal and taxpayer systems and programs in place of SSNs when possible.

    10. Ensure proper safeguards are established to prevent unintentional exposure to SSNs in cases where SSN use is determined to be necessary.

    11. Ensure the SEID is used as the primary employee identifier as an alternative use for SSNs when possible.

    12. Ensure PCLIAs, for which they are the responsible official, are completed timely and mitigate any privacy risks discovered.

    13. Follow IRS records management requirements outlined in IRM 1.15.7, Records and Information Management, Files Management.

10.5.1.5.3  (03-10-2017)
System Owners

  1. IRS system owners must:

    1. Follow applicable laws, regulations and IRS privacy policies and procedures in the development, acquisition, implementation, operation, and disposal of all systems under their control.

    2. Ensure that the collection, use and sharing of SBU data from taxpayers, employees, and contractors is limited to that which is minimally necessary for tax administration purposes or other legally authorized purposes.

    3. Examine the use of SSNs in all information systems and programs, as well as hardcopy and electronic formats (for example, forms, printouts, screen shots, displays, electronic media, archives and on-line storage repositories) and eliminate the unnecessary use of SSNs where identified.

    4. Ensure that adequate SSN alternatives are employed, as necessary.

    5. Ensure, to the extent possible, that SBU data used by the IRS to complete business functions is accurate, relevant, timely, and complete.

    6. Ensure that all new systems, systems under development, or systems undergoing major modifications that contain SBU data have in place a completed and approved PCLIA in accordance with federal laws and IRS policy.

    7. Work with Privacy Compliance and Assurance (PCA) to ensure that approved PCLIAs for systems that contain SBU data or PII on the public are reviewed for redaction prior to being posted to IRS.gov.

    8. Coordinate with the system developer and PCA to ensure identified privacy risks are documented in their Plans of Action and Milestones (POA&Ms) and are resolved in a timely manner.

    9. Coordinate all inter-agency PII sharing agreements with GLDS and other affected IRS entities that establish and monitor the sharing of PII with external entities.

    10. Implement safeguards to establish and monitor internal and third party agreements for the protection of SBU data and to ensure the confidentiality of SBU data.

    11. Ensure that suspected or actual data loss incidents are reported within the timeframes required to management, the Computer Security Incident Response Center (CSIRC), and to TIGTA per requirements.

    12. Ensure that all IRS and contractor employees involved in the management, operation, programming, maintenance, or use of IRS information systems complete IRS UNAX and privacy, information protection and disclosure training prior to being granted access to those systems containing SBU data.

    13. Ensure that employees and contractors who have access to SBU data for testing follow have followed the requirements of IRM 10.5.8, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments. For more information, refer to the SBU Data Policy webpage:
      https://organization.ds.irsnet.gov/sites/vldp/Privacy/Risk/SBU-Data-Use-Policy/Pages/default.aspx

    14. Follow IRS records management requirements outlined in IRM 1.15.7, Records and Information Management, Files Management.

10.5.1.5.4  (06-15-2016)
System Developers

  1. System Developers must:

    1. Follow IRS privacy policies and procedures in the development, implementation, and operation of information systems for which they are responsible, including reviews of the use of SSNs by IRS systems.

    2. Work closely with system owners to eliminate the unnecessary collection and use of SSNs in all IRS systems.

    3. Develop information systems that provide the capability to partially mask, truncate, or redact the SSN when the total elimination of the use of SSNs is not possible in both personnel and tax systems.

    4. Work with system owners to eliminate unnecessary accessing, collecting, displaying, sharing, transferring, retaining, and using of the SSNs in personnel and tax systems.

    5. Establish, maintain, and test the management, operational and technical controls to protect SBU data.

    6. Complete system PCLIAs in concert with system owners and in accordance with IRS policy, if they are the responsible management official or designees.

    7. Coordinate with the system owners and PCA to resolve identified privacy risks.

    8. Perform system life cycle reviews to ensure satisfactory resolution of privacy risks and provide the results to the system owners.

10.5.1.5.5  (06-15-2016)
Authorizing Officials

  1. The Authorizing Official (AO) must develop and maintain additional operational documentation (such as action and implementation plans, standard operations procedures) necessary for implementation of the privacy controls, delineated in the IRM 10.5 series.

  2. The AO holds responsibility for implementation of privacy, including documentation and procedures for how their information systems are managed, administered, and monitored.

10.5.1.5.6  (03-10-2017)
Personnel Engaged in Procurement Activities

  1. Personnel engaged in procurement-related activities must:

    1. Review and understand the appropriate procurement-related training and guidance, including the Contracting Officer Representative (COR) Security, Privacy, and Disclosure Awareness Training and the Integrated Procurement System (IPS) Requisition User Manual.

    2. Ensure all IRS acquisitions and contract vehicles contain appropriate language holding contractors and other service providers accountable for complying with federal and IRS privacy policies and procedures.

    3. Ensure contract work statements specifically identify the appropriate System of Records Notice when SBU data is a part of the research, design, development, testing, or operation work to be performed.

    4. Review contract requirements to determine whether the contract will involve the design, development, or operation of a System of Records on individuals to accomplish an IRS function.

    5. Ensure compliance with the Federal Acquisition Regulations (FAR).

    6. Insert the following contract clauses in all acquisitions and procurement documents generated in support of an acquisition or procurement for the design, development, or operation of a Privacy Act System of Records:
      - FAR 52.224-1, Privacy Act Notification
      FAR 52.224-2, Privacy Act
      https://www.acquisition.gov/?q=browsefar/

    7. Support the appropriate level of contractor background investigation in cooperation with the Office of Contractor Security Management (CSM) and Office of Personnel Security (PS) as described in IRM 10.23.2, Personnel Security – Contractor Investigations. This includes working with PS to assign the correct risk designations, assist with contractor fingerprinting if needed, as well as identity card distribution. Contractors may need to be re-investigated every five years; the COR is responsible for initiating re-investigations.

    8. Ensure contractors take required security, privacy, disclosure, and UNAX training and complete Non-Disclosure Agreements within the required timeframes per CSM instructions.

    9. Ensure any contract involving the use of SBU data for testing follows the requirements of IRM 10.5.8, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments. For more information, refer to the SBU Data Policy webpage:
      https://organization.ds.irsnet.gov/sites/vldp/Privacy/Risk/SBU-Data-Use-Policy/Pages/default.aspx

    10. Ensure contractors receive and understand the PCLIA when supporting that a project with a PCLIA.

    11. Ensure the contractor understands incident response requirements. If an incident is suspected, ensure that the CO and the Situation Awareness Management Center (SAMC) are notified within an hour, and the contractor identifies an acceptable point-of-contact to collaborate with IRS on handling the incident.

    12. Report UNAX by a contractor to TIGTA and Procurement.

    13. Collaborate with CSM at contract closeout to ensure system and facilities accesses are revoked and all IRS data is returned or purged as required by the contract.

    14. For more information, see the Procurement 101 website:
      https://portal.ds.irsnet.gov/sites/DCOSProcurement/p101/SitePages/Home.aspx

    [AR-3]

10.5.1.6  (03-10-2017)
Privacy Policy on Everyday Issues

  1. These sections describe privacy policy in terms of common issue areas. Many of these areas interrelate with each other, physical protection, and IT security practices.

  2. For more information, refer to the PGLD web page:
    https://organization.ds.irsnet.gov/sites/vldp/default.aspx
    For additional help, email *Privacy (privacy@irs.gov).

10.5.1.6.1  (06-15-2016)
Protecting and Safeguarding SBU Data and PII

  1. Regardless of the risk, employees must protect and safeguard SBU data. This means employees must properly collect, access, use, share, and dispose of SBU data.

10.5.1.6.1.1  (06-15-2016)
Defining PII versus Sensitive PII

  1. Little difference exists between PII and what employees refer to as "sensitive" PII.

  2. PII is any information that can be used to distinguish or trace an individual’s identity, or that is linked or linkable to an individual. See the Definition of PII section in this IRM for a complete definition with examples.

  3. The level of risk increases with the potential level of harm caused by exposed SBU data or PII.

  4. Context remains important. PII that does not seem high risk may still require protection if its context makes it risky. For example, a collection of names:

    • Is not Sensitive PII if it is a list, file, query result, etc., of:
      - Attendees at a public meeting.
      - Names out of a public telephone book.
      - FOIA listing of IRS employees in non-protected positions.

    • Is Sensitive PII if it is a list, file, query result, etc., of:
      - Individual taxpayers who filed returns.
      - Law enforcement personnel.
      - Employees with poor performance ratings.

  5. For more information, see the Deciding Risk Levels for SBU Data and PII section of this IRM.

10.5.1.6.1.2  (03-10-2017)
Deciding Risk Levels for SBU Data and PII

  1. If SBU data or PII is lost, compromised, or disclosed without authorization, it could result in substantial harm, embarrassment, inconvenience or unfairness to an individual or the IRS.

  2. Harm includes any adverse effects experienced by an individual whose PII was compromised, or adverse effects to the IRS such as a loss of public confidence.

  3. The greater the potential for harm, the more at risk the SBU data or PII becomes. As outlined in NIST SP 800-122:

    1. PII with a low confidentiality level means limited potential harm with minor impact on an individual or the IRS.

    2. Low confidentiality level SBU data or PII would include, for example, information that can be released under FOIA requests, or information that has become public record. See the FOIA and Public Record sections of this IRM for more information. The SEID is an example of low risk PII.

    3. PII with moderate or high confidentiality levels means the potential harm ranges from serious to severe or catastrophic, with significant to severe impact to an individual or the IRS. Tax information is an example of high risk PII.

  4. The greater the risk to SBU data and PII, the stronger the privacy and security protections become. [NIST SP 800-122]

  5. When in doubt about the level of risk of SBU data and PII, or the privacy concerns around the data, email *Privacy (privacy@irs.gov) for assistance.

  6. For more information on the IT aspects of data security, refer to IRM 10.8.1 , Information Technology (IT) Security, Policy and Guidance.

10.5.1.6.1.3  (03-10-2017)
Limiting Sharing of SBU Data and PII

  1. All SBU data must be protected. What SBU data may be shared is limited.

  2. Follow extensive Disclosure rules in the IRM 11.3.x family, Disclosure of Official Information.

  3. Internally: Only share SBU data and PII with another IRS employee or contractor if the recipient’s need for the information is related to his or her official duties.

  4. The electronic transmission of SBU data requires encryption for security purposes. See the Encryption section of this IRM for more information.

  5. Release of tax information (whether of an individual or business) is restricted by the confidentiality provisions of IRC § 6103(a). Share tax information only with authorized individuals following established written procedures.

    Note:

    Removing identifying information (i.e. Name/TIN) from specific tax records does not remove it from the confidentiality protections of IRC § 6103.

  6. Externally: Only share SBU data and PII with authorized individuals outside of IRS, in encrypted files, if all these conditions are met:

    1. Individual authorized to receive it under law or regulation, such as IRC § 6103.  Authority may be established by a formal request for information processed using established written procedures, or a memorandum of understanding or executed agreement which also establishes the secure method of transmission for the data. 

    2. Authorized to release and receive the information by email.

    3. Recipient need for the information related to official duties.

    4. Recipient authenticated.

    5. Recipient accepted information and any obligation to protect.

    6. Access controls limited to those with need to know.

    7. The applicable System of Records Notice (SORN) includes the use as a published routine use. Refer to the PGLD website:
      https://organization.ds.irsnet.gov/sites/vldp/disclosure/FOIAPriv/privacyact/pasor/Pages/default.aspx

  7. Refer to the IRM 11.3 series (Disclosure of Official Information) or email *Disclosure (disclosure@irs.gov) for additional guidance.

10.5.1.6.1.4  (06-15-2016)
Extracting SBU Data or PII

  1. Employees should not create unauthorized, unnecessary, or duplicative collections of SBU data or PII, such as duplicate, ancillary, shadow, personal copies, or "under the radar" files.

  2. If creating new spreadsheets or databases containing SBU data or PII from a larger file or database is necessary, consider whether a PCLIA is required.

    1. To do so, submit a Qualifying Questionnaire, or email *Privacy (privacy@irs.gov).

    2. For more information on the Qualifying Questionnaire and PCLIA process, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program.

  3. To protect hard copy extracts of SBU data or PII, employees shall:

    1. Limit a print, copy, or extract of SBU data or PII from a larger data set to include only the specific data elements needed to perform the task at hand when possible.

    2. Delete or destroy duplicate copies of SBU data or PII used to perform a particular task or project when no longer needed.

      Note:

      Follow the appropriate procedures for the deletion or destruction of the media or hardcopy.

  4. For more information, refer to IRM 2.7.4, Magnetic Media Management.

10.5.1.6.2  (06-15-2016)
Encryption

  1. Encryption is an important tool in the IRS’s protection of SBU data.

  2. For more details about emailing and encrypting SBU data, see the Email section of this IRM.

10.5.1.6.2.1  (06-15-2016)
External

  1. Protect all SBU data processed, stored, or transmitted outside the IRS with IT-approved encryption methods, unless specifically excluded in the IRM. This includes, but is not limited to, SBU data in email, on mobile computing devices, and on computers and mobile devices.

  2. Refer to specific requirements in these IRMs:

    • IRM 1.15, Records and Information Management series.

    • IRM 10.2, Physical Security Program series.

    • IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, in the Encryption, Access Control, Media Protection, and Physical and Environmental Protection sections.


More Internal Revenue Manual